Merge "Allow extra error code in device ID attestation"

        vector<Certificate> attested_key_cert_chain;

        auto result = GenerateKey(builder, attest_key, &attested_key_blob,

                                  &attested_key_characteristics, &attested_key_cert_chain);

        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)

                << "result = " << result;

        device_id_attestation_vsr_check(result);

        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);

    }

}

    ASSERT_EQ(result, ErrorCode::OK);

    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    device_id_attestation_vsr_check(result);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);

    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

    ASSERT_EQ(result, ErrorCode::OK);

    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    device_id_attestation_vsr_check(result);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);

    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

        // Add the tag that doesn't match the local device's real ID.

        builder.push_back(invalid_tag);

        auto result = GenerateKey(builder, &key_blob, &key_characteristics);

        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);

        device_id_attestation_vsr_check(result);

        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);

    }

}

    *signingKey = std::move(pubKey);

}

void device_id_attestation_vsr_check(const ErrorCode& result) {

    if (get_vsr_api_level() > __ANDROID_API_T__) {

        ASSERT_FALSE(result == ErrorCode::INVALID_TAG)

// Check the error code from an attempt to perform device ID attestation with an invalid value.

void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {

    // Standard/default error code for ID mismatch.

    if (result == ErrorCode::CANNOT_ATTEST_IDS) {

        return;

    }

    // Depending on the situation, other error codes may be acceptable.  First, allow older

    // implementations to use INVALID_TAG.

    if (result == ErrorCode::INVALID_TAG) {

        ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)

                << "It is a specification violation for INVALID_TAG to be returned due to ID "

                << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "

                << "be used for a case where updateAad() is called after update(). As of "

                << "VSR-14, this is now enforced as an error.";

    }

    // If the device is not a phone, it will not have IMEI/MEID values available.  Allow

    // ATTESTATION_IDS_NOT_PROVISIONED in this case.

    if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {

        ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID ||

                     tag == TAG_ATTESTATION_ID_SECOND_IMEI))

                << "incorrect error code on attestation ID mismatch";

    }

    ADD_FAILURE() << "Error code " << result

                  << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";

}

// Check whether the given named feature is available.

void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,

                        vector<uint8_t>* payload_value);

void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);

void device_id_attestation_vsr_check(const ErrorCode& result);

void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);

bool check_feature(const std::string& name);

AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);